Daily Tech Digest - November 25, 2016

Corporate governance is more than a good infosec policy

When it comes to governance, many CISOs begin with policy and procedures as their first action items. Undoubtedly, corporate security policies are “must have” pieces of any organizational security posture, and after all, most C-level executives pride themselves on their ability to communicate and convey important topics to an audience. As such, they feel policy is a great fit for them to introduce and remind employees about the importance of security. The policies might contain, for instance, rules about data storage / sharing, password complexity, access control permissions (who may access data, where they may access it from, and who manages the controls and data storage beyond them), and other items to which the consistent application or adherence is required to ensure that the IT infrastructure is kept secure.


7 open source security predictions for 2017

The flip side of the open source coin is that if you’re using open source, the chances are good that you’re also including vulnerabilities known to the world at large. Since 2014, the National Vulnerability Database (NVD) has reported over 8,000 new vulnerabilities in open source software. Vulnerabilities in open source are particularly attractive to attackers. The ubiquity of the affected components, the public disclosure of vulnerabilities (often with sample exploits) and access to the source code make the attacker’s job simpler. In addition, without a traditional support model, users are typically unaware of new updates and vulnerabilities in the open source they’re using. Putting on my prognosticator’s hat, here are some events around open source and open source security that I wouldn’t be surprised to see in the coming year.


The Open Group - A CIO-Level View of IT4IT

Dan Warfield, Principal, CC&C Europe: A CIO-Level View of IT4IT™. Dan is an entrepreneur, strategist, innovator and enterprise architect, whose recent experience includes creating the IT4IT-based reference architecture / operating model for a Fortune 50 company. In more than 30 years of IT leadership experience, he has been a solution executive, innovation leader and product manager for five global IT software / services companies including IBM and CSC, and worked as an independent strategy adviser.


Women in Information Security: Jess Dodson

For women who are currently in the field or wanting to be in the field, it’s about flexible work arrangements, paid maternity and carer leave, and management that’s understanding. Because while it sounds so very “old school,” women are still the primary carers in families. Also, they’re the ones who have to carry around a baby for ten months and need time to recuperate after all that! But I think it starts much earlier than that. I think we need to get into schools. We need to teach young girls that computers and math and science aren’t just for boys. They’re for girls. They’re fun and cool, and if that’s what they like to do, then they should do it. I’m trying to find a way to become a mentor or a spokesperson locally for young girls to show them that you can be a girl and be good at computers.


What is Intercloud?

Intercloud, as the name suggests, is a network of clouds that are connected with each other in some form. This includes private, public, and hybrid clouds that come together to provide a seamless exchange of data, infrastructure, and computing capabilities. In many ways, it is similar to the Internet, the network of networks that power the world today. This concept of Intercloud was started as a research project in 2008 at Cisco, and it was later taken over by the Institute of Electrical and Electronics Engineers (IEEE). It is based on the idea that no single cloud can provide all the infrastructure and computing capability needed for the entire world. Also, if a cloud does not have a presence in a particular geographic region, but gets a request for storage or computation, it should still be in a position to fulfill it.


Navigating legacy: Charting the course to business value

The CIO is well positioned to influence and support the whole digital iceberg and to help create the right strategy, platforms, and services to realize a holistic digital enterprise rather than a collection of disjointed departmental investments. If we are correct in our hypothesis that many business priorities are related to the digital agenda, then CIOs can be more responsive to bridging current gaps.  ... Globally, CIOs as a group are surprisingly similar in many of their personality traits and working styles (figure 2). Some of the top seven traits among CIOs may seem counterintuitive if one views the CIO simply as a technology steward. But, above and beyond their role as IT leader, CIOs are business leaders, and all seven traits are important in helping them succeed in their business leadership role.


The Laws of Cyber Threat: Diamond Model Axioms

Many confuse the purpose of the Diamond Model. Most believe the Diamond Model exists for analysts, but that is an ancillary benefit. Instead, think of the Diamond Model like a model airplane used to study the principles of aerodynamics. It is not an exact copy but rather a good approximation of the full-scale airplane being studied. The model exposes elements to test and study in a controlled environment improving the performance of the plane in an operational environment. The Diamond Model does the same, except for cyber threat analysis. When describing the Diamond Model to others, I usually start with, “we didn’t create the Diamond Model, we simply expressed some fundamental elements which always existed.” Surprisingly, I learned while writing the Diamond Model how exposing this fundamental nature improved cyber threat intelligence.


The new cybersecurity war takes shape

The stakes could not be higher. With financial data, medical records, intellectual property, and even military information in constant motion around the globe, our entire way of life depends on the security of our data. The expanding internet of things opens a new realm of vulnerable systems, and raises for the first time the prospect that hackers and spies can inflict immediate physical damage on their targets. The news gives us little cause for optimism. Recent data breaches demonstrate the ability of hackers to steal information on hundreds of millions of people at once (Yahoo) and to compromise data with implications for national security (US Office of Personnel Management). Anyone with the right technical skills and an agenda—activist hackers, corporations, nation states, terrorist cells—has the potential to wreak havoc on a worldwide scale.


Data manipulation heralds a new era of hacking

The repercussions of this sort of hack can be devastating for a business. If future planning, investments or purchases are made based on incorrect information, then not only could those decisions be wrong for the business, but there may be legal and financial consequences if it appeared that fraudulent behaviour had taken place. An example of this would be if the data that farmers use to determine soil pH levels, and therefore which crops to plant, were to be manipulated. Investors and businesses spend considerable amounts of money supporting the forecasted crop yields and, should that be based on altered data, then it could be financially crippling for the farmer and local businesses – while hackers could use this to purchase stocks and make a profit.


Open source talent in Europe – in great demand, and hard to find

Europeans, it turns out, are even more confident than their global counterparts in the open source job market. Of over one thousand European respondents, 60 percent said they believed it would be fairly or very easy to find a new position this year – as opposed to only 50 percent saying it would be easy globally. In fact, half of the Europeans reported receiving more than 10 calls from recruiters in the six months prior to the survey, while only 22 percent of respondents worldwide reported this level of engagement. While worldwide, 27 percent of respondents received no calls at all from recruiters, only five percent of Europeans said the same. Companies and organisations know that they need to establish, build and sustain open source projects; they also know that for such projects to be successful, they must possess a level of sophistication that solicits support from developers.



Quote for the day:


"Positive thinking will let you do everything better than negative thinking will." -- Zig Ziglar